public PermissionDescriptor(string contentPath, IUser user, PermissionType permissionType, PermissionValue permissionValue)
{
AffectedPath = contentPath;
AffectedUser = user;
PType = permissionType;
NewValue = permissionValue;
}
public void SetPermission(ISecurityMember securityMember, bool isInheritable, PermissionType permissionType, PermissionValue permissionValue)
{
if (securityMember == null)
throw new ArgumentNullException("securityMember");
if (permissionType == null)
throw new ArgumentNullException("permissionType");
Assert(PermissionType.SetPermissions);
var entry = PermissionEvaluator.Instance.GetExplicitEntry(this._node.Path, securityMember.Id);
var allowBits = 0;
var denyBits = 0;
if (entry != null)
{
allowBits = entry.AllowBits;
denyBits = entry.DenyBits;
}
SetBits(ref allowBits, ref denyBits, permissionType, permissionValue);
var memberId = securityMember.Id;
var permSet = new PermissionSet(memberId, isInheritable, allowBits, denyBits);
entry = permSet.ToEntry(this.NodeId);
DataProvider.Current.SetPermission(entry);
Reset();
}
internal AclEditor SetPermission(int principalId, bool propagates, PermissionType permissionType, PermissionValue permissionValue)
{
var entry = GetEntry(principalId, propagates);
var perm = GetSnPerm(entry, permissionType);
int allowBits;
int denyBits;
entry.GetPermissionBits(out allowBits, out denyBits);
SecurityHandler.SetBits(ref allowBits, ref denyBits, permissionType, permissionValue);
entry.SetPermissionsBits(allowBits, denyBits);
return this;
}
private static string GetMessage(string msg, string path, int nodeId, PermissionType permissionType, IUser user)
{
var sb = new StringBuilder(msg ?? "Access denied.");
if (path != null)
sb.Append(" Path: ").Append(path);
if (nodeId != 0)
sb.Append(" NodeId: ").Append(nodeId);
if (permissionType != null)
sb.Append(" PermissionType: ").Append(permissionType.Name);
if (user != null)
sb.Append(" User: "******" UserId: ").Append(user.Id);
return sb.ToString();
}
/*!!!*/ private static Exception GetAccessDeniedException(string path, int creatorId, int lastModifierId, string message, PermissionType[] permissionTypes, IUser user)
{
//TODO: #### az exception-ben legyen informacio, hogy a see pattant-e el!
PermissionType deniedPermission = null;
foreach (var permType in permissionTypes)
{
if (!HasSubTreePermission(path, creatorId, lastModifierId, permType))
{
deniedPermission = permType;
break;
}
}
if (deniedPermission == null)
throw new SenseNetSecurityException(path, null, user);
if (message != null)
throw new SenseNetSecurityException(path, deniedPermission, user, message);
else
throw new SenseNetSecurityException(path, deniedPermission, user);
}
//======================================================================================================== Administration methods
public void SetPermission(IUser user, bool isInheritable, PermissionType permissionType, PermissionValue permissionValue)
{
if (user == null)
throw new ArgumentNullException("user");
SetPermission(user as ISecurityMember, isInheritable, permissionType, permissionValue);
}
public SenseNetSecurityException(int nodeId, PermissionType permissionType, IUser user, string message)
: base(GetMessage(message, null, nodeId, permissionType, user)) { }
internal PermissionValue GetSubtreePermission(string path, IUser user, bool isCreator, bool isLastModifier, PermissionType[] permissionTypes)
{
if (user.Id == -1)
return PermissionValue.Allow;
//======== #1: startbits: getpermbits
//==>
var principals = GetPrincipals(user, isCreator, isLastModifier);
var allow = 0;
var deny = 0;
var firstPermInfo = GetFirstInfo(path);
if (firstPermInfo.Path == path)
firstPermInfo.AggregateLevelOnlyValues(principals, ref allow, ref deny);
for (var permInfo = firstPermInfo; permInfo != null; permInfo = permInfo.Inherits ? permInfo.Parent : null)
permInfo.AggregateEffectiveValues(principals, ref allow, ref deny);
//==<
var mask = GetPermissionMask(permissionTypes);
if ((deny & mask) != 0)
return PermissionValue.Deny;
if ((allow & mask) != mask)
return PermissionValue.NonDefined;
// +r +1+++ | +1_++ | +1+++
// +r/a +1_++ | +1+++ | +1-++
// ==============|=======|=======
// +++ | _++ | -++
// +r +1+++ | +1_++ | +1+++
// +r/a -1_++ | -1+++ | -1-++
// ==============|=======|=======
// +++ | _++ | -++
// +r +1+++ | +1_++ | +1+++
// -r/a +1_++ | +1+++ | +1-++
// ==============|=======|=======
// _++ | _++ | -++
// nem fugg a permissionset.inheritable ertektol
// denybits: or, break: nem kell ujraszamolni
// allowbits or, break: ujraszamolni
//PermissionInfo subTreePermInfo;
//if (entries.TryGetValue(path, out subTreePermInfo))
//{
// subTreePermInfo.GetSubtreePermission(path, principals, isCreator, isLastModifier, mask, ref allow, ref deny);
//}
//else
//{
var p = path + "/";
var permInfos = from key in permissionTable.Keys where key.StartsWith(p) orderby key select permissionTable[key];
foreach (var permInfo in permInfos)
{
if (!permInfo.Inherits)
{
allow = 0;
foreach (var entry in permInfo.PermissionSets)
{
if (!principals.Contains(entry.PrincipalId))
continue;
allow |= entry.AllowBits;
deny |= entry.DenyBits;
}
}
foreach (var entry in permInfo.PermissionSets)
{
if (!principals.Contains(entry.PrincipalId))
continue;
deny |= entry.DenyBits;
}
}
//}
if ((deny & mask) != 0)
return PermissionValue.Deny;
if ((allow & mask) != mask)
return PermissionValue.NonDefined;
return PermissionValue.Allow;
}
public void DeletePermissionType(PermissionType permissionType)
{
_target.GetType().GetMethod("DeletePermissionType").Invoke(_target, new object[] { permissionType });
}
public SenseNetSecurityException(string path, PermissionType permissionType, IUser user, string message)
: base(GetMessage(message, path, 0, permissionType, user)) { }
private string SetPermForcedSettingsTest(int operationNumber, Node node, ISecurityMember member, string startState, string expectedState, PermissionType permType, PermissionValue value)
{
return SetForcedSettingsTest(operationNumber, node, member, startState, expectedState, permType, value, false);
}
internal bool HasPermission(string path, IUser user, bool isCreator, bool isLastModifier, PermissionType[] permissionTypes)
{
if (user.Id == -1)
return true;
var value = GetPermission(path, user, isCreator, isLastModifier, permissionTypes);
if (RepositoryConfiguration.TracePermissionCheck)
if (value != PermissionValue.Allow)
Debug.WriteLine(String.Format("HasPermission> {0}, {1}, {2}, {3}", value, String.Join("|", permissionTypes.Select(x => x.Name).ToArray()), user.Username, path));
return value == PermissionValue.Allow;
}
public override void DeletePermissionType(PermissionType permissionType)
{
StringBuilder sb = new StringBuilder();
if (permissionType == null)
throw new ArgumentNullException("permissionType");
sb.Append(CreateCommentLine("Delete PermissionType: ", permissionType.Name));
sb.Append("DELETE FROM [dbo].[SchemaPermissionTypes] WHERE PermissionId = ");
sb.Append(permissionType.Id).AppendLine();
AddScript(sb);
}
protected internal override void SetPermission(int principalId, int nodeId, PermissionType permissionType, bool isInheritable, PermissionValue permissionValue)
{
WriteLog(MethodInfo.GetCurrentMethod(), principalId, nodeId, permissionType, isInheritable, permissionValue);
base.SetPermission(principalId, nodeId, permissionType, isInheritable, permissionValue);
}
internal bool HasSubTreePermission(string path, IUser user, bool isCreator, bool isLastModifier, PermissionType[] permissionTypes)
{
if (user.Id == -1)
return true;
var value = GetSubtreePermission(path, user, isCreator, isLastModifier, permissionTypes);
return value == PermissionValue.Allow;
}
private static void WriteDeletePermissionType(SchemaWriter writer, PermissionType permType)
{
writer.DeletePermissionType(permType);
}
private int GetPermissionMask(PermissionType[] permissionTypes)
{
int mask = 0;
foreach (var permissionType in permissionTypes)
mask = mask | (1 << (permissionType.Id - 1));
return mask;
}
public void SetPermission(IGroup group, bool isInheritable, PermissionType permissionType, PermissionValue permissionValue)
{
if (group == null)
throw new ArgumentNullException("group");
SetPermission(group as ISecurityMember, isInheritable, permissionType, permissionValue);
}
private string SetForcedSettingsTest(int operationNumber, Node node, ISecurityMember member, string startState, string expectedState, PermissionType permType, PermissionValue value, bool acl)
{
ResetSeeOpenOpenMinorPermissions(node, member);
var perms = new PermissionValue[ActiveSchema.PermissionTypes.Count];
var permCount = perms.Length;
for (int i = 0; i < startState.Length; i++)
{
if (startState[i] == '+') perms[permCount - i - 1] = PermissionValue.Allow;
else if (startState[i] == '-') perms[permCount - i - 1] = PermissionValue.Deny;
}
//---- prerequisit
node.Security.SetPermissions(member.Id, true, perms);
//---- test operation
if(acl)
new AclEditor(node).SetPermission(member, true, permType, value).Apply();
else
node.Security.SetPermission(member, true, permType, value);
string result = null;
SecurityEntry entry = null;
foreach (var e in node.Security.GetExplicitEntries())
{
if (e.PrincipalId == member.Id)
{
entry = e;
break;
}
}
if (entry == null)
{
result = "______________";
}
else
{
var chars = new char[permCount];
var values = entry.PermissionValues;
for (int i = 0; i < values.Length; i++)
{
if (values[i] == PermissionValue.Allow) chars[permCount - i - 1] = '+';
else if (values[i] == PermissionValue.Deny) chars[permCount - i - 1] = '-';
else chars[permCount - i - 1] = '_';
}
result = new String(chars);
}
if (result == expectedState)
return null;
return String.Concat("State is '", result, "', expected '", expectedState, "' at operation ", operationNumber);
}
public void SetPermission(IOrganizationalUnit orgUnit, bool isInheritable, PermissionType permissionType, PermissionValue permissionValue)
{
if (orgUnit == null)
throw new ArgumentNullException("orgUnit");
SetPermission(orgUnit as ISecurityMember, isInheritable, permissionType, permissionValue);
}
internal static PermissionType[] GetPermissionTypeFromIdArray(int[] idArray)
{
var result = new PermissionType[idArray.Length];
for (int i = 0; i < idArray.Length; i++)
result[i] = PermissionType.GetById(idArray[i]);
return result;
}
internal static void SetBits(ref int allowBits, ref int denyBits, PermissionType permissionType, PermissionValue permissionValue)
{
var actionBit = 0x1 << (permissionType.Id - 1);
switch (permissionValue)
{
case PermissionValue.Deny:
if (actionBit == SEEBIT)
denyBits |= SAVEGROUPBITS + OPENMINORBIT + OPENBIT + SEEBIT + MANAGELISTSANDWORKSPACESBIT;
else if (actionBit == OPENBIT)
denyBits |= SAVEGROUPBITS + OPENMINORBIT + OPENBIT + MANAGELISTSANDWORKSPACESBIT;
else if (actionBit == OPENMINORBIT)
denyBits |= SAVEGROUPBITS + OPENMINORBIT + MANAGELISTSANDWORKSPACESBIT;
else if (actionBit == SEEPERMISSIONSBIT)
denyBits |= SETPERMISSIONSBIT;
else if (actionBit == SAVEBIT)
denyBits |= MANAGELISTSANDWORKSPACESBIT;
else if (actionBit == ADDNEWBIT)
denyBits |= MANAGELISTSANDWORKSPACESBIT;
else if (actionBit == DELETEBIT)
denyBits |= MANAGELISTSANDWORKSPACESBIT;
denyBits |= actionBit;
allowBits &= ~denyBits;
break;
case PermissionValue.NonDefined:
var abits = 0;
var dbits = 0;
if (actionBit == SEEBIT)
{
abits |= SAVEGROUPBITS + OPENMINORBIT + OPENBIT + SEEBIT;
dbits |= ~(SEEBIT);
}
else if (actionBit == OPENBIT)
{
abits |= SAVEGROUPBITS + OPENMINORBIT + OPENBIT;
dbits |= ~(SEEBIT | OPENBIT);
}
else if (actionBit == OPENMINORBIT)
{
abits |= SAVEGROUPBITS + OPENMINORBIT;
dbits |= ~(SEEBIT | OPENBIT | OPENMINORBIT);
}
else if ((actionBit & SAVEGROUPBITS) != 0)
{
abits |= actionBit;
dbits |= ~(actionBit | OPENMINORBIT | OPENBIT | SEEBIT);
}
else if (actionBit == SEEPERMISSIONSBIT)
{
abits |= SETPERMISSIONSBIT + SEEPERMISSIONSBIT;
dbits |= ~SEEPERMISSIONSBIT;
}
else if (actionBit == SETPERMISSIONSBIT)
{
abits |= SETPERMISSIONSBIT;
dbits |= ~(SETPERMISSIONSBIT | SEEPERMISSIONSBIT);
}
else if (actionBit == RUNAPPLICATIONBIT)
{
abits |= RUNAPPLICATIONBIT;
dbits |= ~(RUNAPPLICATIONBIT);
}
else if (actionBit == MANAGELISTSANDWORKSPACESBIT)
{
abits |= MANAGELISTSANDWORKSPACESBIT;
dbits |= ~(MANAGELISTSANDWORKSPACESBIT);
}
else
{
dbits = ~0;
}
allowBits &= ~abits;
denyBits &= dbits;
break;
case PermissionValue.Allow:
if ((actionBit & SAVEGROUPBITS) > 0)
allowBits |= actionBit + SEEBIT + OPENBIT + OPENMINORBIT;
else if (actionBit == OPENMINORBIT)
allowBits |= actionBit + SEEBIT + OPENBIT;
else if (actionBit == OPENBIT)
allowBits |= actionBit + SEEBIT;
else if (actionBit == SETPERMISSIONSBIT)
allowBits |= SEEPERMISSIONSBIT;
else if (actionBit == MANAGELISTSANDWORKSPACESBIT)
allowBits |= actionBit + SEEBIT + OPENBIT + OPENMINORBIT + SAVEBIT + ADDNEWBIT + DELETEBIT;
allowBits |= actionBit;
denyBits &= ~allowBits;
break;
default:
throw new NotSupportedException("Unknown PermissionValue: " + permissionValue);
}
}
public abstract void DeletePermissionType(PermissionType permissionType);
public SenseNetSecurityException(string path, PermissionType permissionType)
: base(GetMessage(null, path, 0, permissionType, null)) { }
private static string GetPermissionCacheKey(int principalID, int nodeID, PermissionType type)
{
return string.Format(CultureInfo.InvariantCulture, "SN:NodePermissionCache:{0}:{1}:{2}", principalID, nodeID, type.Id);
}
public SenseNetSecurityException(int nodeId, PermissionType permissionType)
: base(GetMessage(null, null, nodeId, permissionType, null)) { }
public void DeletePermissionType(PermissionType permissionType)
{
if (permissionType.SchemaRoot != this)
throw new SchemaEditorCommandException(SR.Exceptions.Schema.Msg_InconsistentHierarchy);
this.PermissionTypes.Remove(permissionType);
}
public AclEditor SetPermission(ISecurityMember securityMember, bool propagates, PermissionType permissionType, PermissionValue permissionValue)
{
return SetPermission(securityMember.Id, propagates, permissionType, permissionValue);
}
internal PermissionValue GetPermission(string path, IUser user, bool isCreator, bool isLastModifier, PermissionType[] permissionTypes)
{
if (user.Id == -1)
return PermissionValue.Allow;
//==>
var principals = GetPrincipals(user, isCreator, isLastModifier);
var allow = 0;
var deny = 0;
var firstPermInfo = GetFirstInfo(path);
if (firstPermInfo.Path == path)
firstPermInfo.AggregateLevelOnlyValues(principals, ref allow, ref deny);
for (var permInfo = firstPermInfo; permInfo != null; permInfo = permInfo.Inherits ? permInfo.Parent : null)
permInfo.AggregateEffectiveValues(principals, ref allow, ref deny);
//==<
var mask = GetPermissionMask(permissionTypes);
if ((deny & mask) != 0)
return PermissionValue.Deny;
if ((allow & mask) != mask)
return PermissionValue.NonDefined;
return PermissionValue.Allow;
}
private static void PermissionTypeToXml(PermissionType permType, StringBuilder sb, string indent)
{
sb.Append(indent).AppendLine(String.Format(CultureInfo.CurrentCulture, "<PermissionType itemID=\"{0}\" name=\"{1}\" />", permType.Id, permType.Name));
}
private SnPermission GetSnPerm(SnAccessControlEntry entry, PermissionType permType)
{
return entry.Permissions.Where(p => p.Name == permType.Name).First();
}
protected internal override void SetPermission(int principalId, int nodeId, PermissionType permissionType, bool isInheritable, PermissionValue permissionValue)
{
SqlProcedure cmd = null;
try
{
cmd = new SqlProcedure { CommandText = "proc_Security_SetPermission" };
cmd.Parameters.Add("@PrincipalId", SqlDbType.Int).Value = principalId;
cmd.Parameters.Add("@NodeId", SqlDbType.Int).Value = nodeId;
cmd.Parameters.Add("@PermissionTypeId", SqlDbType.Int).Value = permissionType.Id;
cmd.Parameters.Add("@IsInheritable", SqlDbType.TinyInt).Value = isInheritable ? (byte)1 : (byte)0;
cmd.Parameters.Add("@PermissionValue", SqlDbType.TinyInt).Value = (byte)permissionValue;
cmd.ExecuteNonQuery();
}
finally
{
cmd.Dispose();
}
}
public abstract void DeletePermissionType(PermissionType permissionType);